Where Do Major Tech Companies Stand on Encryption?

Comparing the Public Encryption Policies from 21 of the Biggest Tech Companies

There’s a major battle brewing over encryption right now.

Law enforcement agencies are trying to demand “backdoors” to our sensitive data and communications, while civil liberties groups are fighting back through a new campaign called SaveCrypto. And President Obama seems to be trying to find a middle ground, eschewing legal mandates but continuing to informally pressure companies to provide unencrypted access to data.

So where do the tech companies stand?

Tech companies are in a unique position to know about and resist unofficial pressure from the government to provide access to user data. We hand over huge amounts of sensitive data to these companies while trusting them to keep it safe. Which companies are willing to go on the record as opposing backdoors?

We rounded up the public policies of 21 of the major tech companies so you can compare them.[1] Some of the statements are from our annual Who Has Your Back report, and some from company blogs and transparency reports.

Take a look:

Adobe

Adobe has not built ‘backdoors’ for any government—foreign or domestic—into our products or services. All government requests for user data need to come through the front door (i.e., by serving valid legal process upon the appropriate Adobe legal department). Adobe vigorously opposes legislation in the US and overseas that would in any way weaken the security of our products or our users’ privacy protections.

Amazon

While we recognize the legitimate needs of law enforcement agencies to investigate criminal and terrorist activity, and cooperate with them when they observe legal safeguards for conducting such investigations, we oppose legislation mandating or prohibiting security or encryption technologies that would have the effect of weakening the security of products, systems, or services our customers use, whether they be individual consumers or business customers.

Apple

In addition, Apple has never worked with any government agency from any country to create a “back door” in any of our products or services. We have also never allowed any government access to our servers. And we never will.

Apple deserves special praise for coming out with an even stronger statement against backdoors in its newly launched privacy website that explains the company’s policies. The new statement says:

Encryption protects trillions of online transactions every day. Whether you’re shopping or paying a bill, you’re using encryption. It turns your data into indecipherable text that can only be read by the right key. We’ve been protecting your data for over a decade with SSL and TLS in Safari, FileVault on Mac, and encryption that’s built into iOS. We also refuse to add a backdoor into any of our products because that undermines the protections we’ve built in. And we can’t unlock your device for anyone because you hold the key — your unique password. We’re committed to using powerful encryption because you should know the data on your device and the information you share with others is protected.

Comcast

Comcast does not support the creation of extra-legal "backdoors," or the inclusion of deliberate security weaknesses in open source or other software to facilitate surveillance without proper legal process.

Dropbox

Governments should never install backdoors into online services or compromise infrastructure to obtain user data. We’ll continue to work to protect our systems and to change laws to make it clear that this type of activity is illegal.

Microsoft

We’re also seeing officials around the world try to limit security measures such as encryption without making progress on the stronger legal protections that people deserve. The bottom line is that while governments only request data on a very small fraction of our customers, governments are seeking to alter the balance between privacy and public safety in a way that impacts everyone.

As we have said before, there are times when law enforcement authorities need to access data to protect the public. However, that access should be governed by the rule of law, and not by mandating backdoors or weakening the security of our products and services used by millions of law-abiding customers. This should concern all of us.

Slack

Transparency is a key value for us and an important feature in Slack itself. It’s this commitment to transparency that brings me to my last point — Slack opposes government-mandated “back-doors” of any kind but particularly a government-mandated requirement that would compromise data security.

Snapchat

Privacy and security are core values here at Snapchat and we strongly oppose any initiative that would deliberately weaken the security of our systems. We’re committed to keeping your data secure and we will update this report bi-annually.

Sonic

Finally, we are stating for the record our position regarding compelled inclusion of back doors, deliberate security weaknesses or disclosure of encryption keys. Sonic does not support these practices.

Tumblr

Security: we believe that no government should install backdoors into web security protocols, or otherwise compromise the infrastructure of the internet. We'll fight the laws that allow them to do so, and we'll work to secure our users' data against such intrusions.

Wickr

We believe in robust and widespread cross-industry encryption and urge the U.S. government to adopt strong encryption standards to ensure the integrity of information of individuals, businesses and government agencies across the world.

WordPress

Some governments have recently sought to weaken encryption, in the name of law enforcement. We disagree with these suggestions and do not believe that it’s feasible to include any deliberate security weaknesses or other back doors in encryption technologies, even if “only” for the benefit of law enforcement. As a wise man said, “there is no such thing as a vulnerability in technology that can only be used by nice people doing the right thing in accord with the rule of law.” We agree wholeheartedly.

Yahoo

We’ve encrypted many of our most important products and services to protect against snooping by governments or other actors. This includes encryption of the traffic moving between Yahoo data centers; making browsing over HTTPS the default on Yahoo Mail and Yahoo Homepage; and implementing the latest in security best-practices, including supporting TLS 1.2, Perfect Forward Secrecy and a 2048-bit RSA key for many of our global properties such as Homepage, Mail and Digital Magazines. We’ve also rolled out an end-to-end (e2e) encryption extension for Yahoo Mail, now available on GitHub. Our goal is to provide an intuitive e2e encryption solution for all of our users by the end of 2015. We are committed to the security of this solution and oppose mandates to deliberately weaken it or any other cryptographic system.

We urge you to reject any proposal that U.S. companies deliberately weaken the security of [our] products… Whether you call them “front doors” or “back doors,” introducing intentional vulnerabilities into secure products for the government’s use will make those products less secure against other attackers. Every computer security expert that has spoken publicly on this issue agrees on this point, including the government’s own experts.

What can we conclude from this? There’s a tremendous amount of opposition among technology companies to compelled backdoors.

Last week EFF, along with a diverse coalition of technology companies and civil liberties groups, launched SaveCrypto.Org, a petition site where concerned individuals can let President Obama know that the administration should come out in favor of strong encryption. While Obama has clarified his initial position, he’s also promised to respond to any We the People petition that gets over 100,000 signatures. That means there's still time to influence him.

In an era of ubiquitous malicious hacking and sensitive personal information data breaches, it’s time for President Obama to listen to Internet users and the companies that are standing up for users’ security and privacy.

You can add your voice to the petition below.

1. If you’d like to know the exact origin of a statement opposing encryption, please look through our Who Has Your Back report.

Wickr’s statement is available here: https://www.wickr.com/wp-content/uploads/2015/09/Transparency-Report-September-29-2015.pdf
